What is the CVSS score of CVE-2026-26312?

CVE-2026-26312 has a CVSS 3.1 base score of 6.5 (Medium). CVSS vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H. EPSS exploitation probability: 0.0%.

Which versions of Stalwart are affected by CVE-2026-26312?

Organizations using Stalwart Mail Server should be aware of notable risk from CVE-2026-26312 rated CVSS 6.5. Exploitation could compromise the security of affected deployments.

Is there a public PoC exploit available for CVE-2026-26312?

Yes, a public proof-of-concept exploit is available for CVE-2026-26312. Prioritise patching immediately. EPSS: 0.0%.

Stalwart CVE-2026-26312

MEDIUM

Allocation of Resources Without Limits or Throttling (CWE-770)

2026-02-19 security-advisories@github.com

Denial Of Service Stalwart

6.5

CVSS 3.1 · GitHub Advisory

Severity by source

GitHub Advisory PRIMARY

6.5 MEDIUM

AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

Primary rating from GitHub Advisory · only source for this CVE.

CVSS VectorGitHub Advisory

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

Attack Vector

Network

Attack Complexity

Low

Privileges Required

Low

User Interaction

None

Scope

Unchanged

Confidentiality

None

Integrity

None

Availability

High

Lifecycle Timeline

Analysis Generated

Mar 12, 2026 - 22:03 vuln.today

PoC Detected

Feb 20, 2026 - 19:40 vuln.today

Public exploit code

CVE Published

Feb 19, 2026 - 21:18 nvd

MEDIUM 6.5

DescriptionGitHub Advisory

Stalwart is a mail and collaboration server. A denial-of-service vulnerability exists in Stalwart Mail Server versions 0.13.0 through 0.15.4 where accessing a specially crafted email containing malformed nested message/rfc822 MIME parts via IMAP or JMAP causes excessive CPU and memory consumption, potentially leading to an out-of-memory condition and server crash. The malformed structure causes the mail-parser crate to produce cyclical references in its parsed representation, which Stalwart then follows indefinitely. Version 0.15.5 contains a patch.

AnalysisAI

Denial-of-service in Stalwart Mail Server versions 0.13.0 through 0.15.4 allows authenticated users to crash the server by sending a specially crafted email with malformed nested MIME parts through IMAP or JMAP, triggering infinite loops and resource exhaustion. The vulnerability requires valid credentials to exploit and public exploit code exists, but no patch is currently available for affected versions.

Unlock full vulnerability intelligence

Risk assessment & exploitation conditions
Attack chain visualization
Remediation with exact patch versions
Threat intelligence from 22 sources
Personal watchlist & email alerts

Continue with Google Continue with GitHub

Free forever · No credit card required

Vulnerability AssessmentAI

Risk Assessment	CVSS 6.5 (MEDIUM). … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario	An attacker could exploit this flaw, an out-of-memory condition and server crash.
Remediation	Monitor vendor advisories for a patch. … Detailed patch versions, workarounds, and compensating controls in full report.

Recommended ActionAI

Within 30 days: Identify affected systems running Stalwart Mail Server and apply vendor patches as part of regular patch cycle. …

Threat intelligence, references, and detailed analysis are available after sign-in.

CVE-2026-26312 vulnerability details – vuln.today

Back

Stalwart CVE-2026-26312

Severity by source

CVSS VectorGitHub Advisory

Lifecycle Timeline

DescriptionGitHub Advisory

AnalysisAI

Unlock full vulnerability intelligence

Vulnerability AssessmentAI

Recommended ActionAI

Share

External POC / Exploit Code